A recently resolved Linux kernel vulnerability, dubbed CVE-2024-26983, deals with an issue associated with the boot config (bootconfig) usage of 'memblock_free_late' to free xbc memory to buddy. This vulnerability could lead to use-after-free (UAF) bugs in certain architectures. In this post, we will discuss the vulnerability, and provide a code snippet and links to the relevant references.

Problem

In the Linux kernel, the function xbc_exit(), which is responsible for freeing xbc memory, used to call memblock_free(). However, this could result in use-after-free (UAF) bugs on architectures with CONFIG_ARCH_KEEP_MEMBLOCK disabled, such as x86. This is because, by the time xbc_exit() is called, the memblock may have already handed over memory to the buddy allocator. The following KASAN logs show this issue:

[    9.410890] ==================================================================
...
[    9.597476] page dumped because: kasan: bad access detected

[    9.605362] Memory state around the buggy address:
...
[    9.634930]                    ^
[    9.638534]  ffff88845dd30080: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[    9.646605]  ffff88845dd30100: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[    9.654675] ==================================================================

Solution

To fix this issue, the Linux kernel now uses memblock_free_late() instead of memblock_free() in the xbc_exit() function. This change ensures that memory is correctly freed to the buddy allocator. Memblock_free() is still called in the early xbc init error rewind path.

Code Snippet

...
// xbc_exit(): now calls memblock_free_late()
void xbc_exit(void) {
  ...
  memblock_free_late((phys_addr_t)xbc.data, xbc.len);
  memblock_free_bootstrap_mem();
  xbc.data = NULL;
  xbc.avail = NULL;
  xbc.len = ;
  ...
}
...

Original References

1. Linux Kernel Mailing List (LKML) patch submission
2. Linux Kernel commit implementing the fix

Exploit Details

Although there is no known exploit code circulating in the wild, attackers could potentially leverage this vulnerability to cause UAF bugs and potentially gain unauthorized access to affected systems. It is highly recommended to update the Linux kernel to a version containing the patch, to mitigate this vulnerability.

Timeline

Published on: 05/01/2024 06:15:15 UTC
Last modified on: 05/29/2024 05:26:24 UTC